MITRE ATT&CK is an evolving knowledge base of known adversary tactics, techniques, and procedures. It is also a phenomenal resource for defenders. We should know. SenseOn was one of the first cybersecurity vendors to fully integrate ATT&CK and use its insights to help organisations map their detection, prevention, and remediation plans.
In a recent webinar, SenseOn’s Founder and CEO Dave Atkinson and SenseOn’s Senior Product Manager Harry McLaren came together to talk about ATT&CK and the value it can provide to security teams.
The webinar was filled with valuable lessons about how ATT&CK helps keep organisations safer.
This blog covers some of those points but for an in-depth look at the best ways to use ATT&CK, as well as to learn how SOC teams can misinterpret the framework and how to judge depth vs breadth of coverage, make sure to watch the webinar here.
As per Dave’s own military experience, it requires a lot more effort and resources to overcome a position than to hold it. Conventional military knowledge is that attackers need a force three times larger than defenders in order to succeed. There are exceptions to this rule, but it almost always takes an overwhelming force to defeat determined defenders.
The reason why is that defenders: “know the terrain and build the defenses on it [and thus know them even better], have a chance to prepare the plans and the armaments, train the troops in place.”
This is what former Gartner analyst Anton Chuvakin wrote in a 2014 blog post titled “On “Defender’s Advantage.””
Chuvakin’s point was that the idea of a defender’s advantage could also be applied to cybersecurity. After all, security teams know their landscape better than hackers—in theory, at least. The problem, said Chuvakin, is that many organisations squander this advantage. Most don’t even know it exists. This lack of tactical awareness is a major security problem.
ATT&CK is one solution to this issue. It gives cybersecurity professionals a framework for taking note of their potential advantage and actively capitalising on the benefits their situation creates.
To understand how, it helps to think of ATT&CK from two sides:
When you drill down into ATT&CK, the how and why of the cybersecurity defender’s advantage jumps out.
By understanding who is likely to attack and what techniques they might try to use to achieve their objectives, security teams can use ATT&CK to figure out where they need to put in place security controls, what data they need to focus on protecting, and which techniques and sub-techniques they need to be able to detect.
ATT&CK gives defenders a roadmap for finding out where attacks are going to come from.
A significant aspect of this process is being able to prioritise adversaries. There are hundreds of threat groups and thousands of subgroups and offshoots.
To discern where targeted attacks are likely to come from, defenders need to research past attacks experienced by other organisations in their industry and see what techniques were used by which groups. At least some of the techniques will probably overlap across multiple groups.
Once security professionals know who is likely to target their organisations and how attacks are likely to occur, it becomes easier to prioritise detection and prevention efforts.
ATT&CK Navigator is a great tool for visualising defensive coverage and building defence in depth. However, as Dave and Harry discuss in the webinar, leveraging Navigator’s true capabilities is not quite as straightforward as it might seem at first glance.
The layout of ATT&CK Navigator resembles a spreadsheet with columns and rows. Rows are tactics, and columns are the techniques and sub-techniques related to a particular tactic a threat actor might use.
When a security team starts using Navigator to map their security controls, they will probably do something straightforward like colour-code the areas where they do and do not have coverage (for example, green for “yes” and grey for “no”).
This mapping process will give teams a broad understanding of their security coverage. But it will not show them the full in-depth picture. The reason why is that cybercriminals can apply a single technique or sub-technique in many different ways.
Take Mimikatz, a common tool in an adversary’s tool kit, as an example. An organisation might create a detection rule that says, “if mimikatz.exe launches from the command line, issue an alert.” In theory, this means that the organisation has coverage against Mimikatz. But what if a threat actor renames it, and it becomes “mimiexplore.exe” or “windowsexplore.exe”? The detection no longer fires.
Detections in Depth can help counter this issue and cover the kind of attack chains described in ATT&CK.
Detections in Depth means taking advantage of choke points within a network environment. These are the places where security teams can and should deploy detective capabilities that generate data when things happen, i.e., endpoints, the cloud, network, etc.
Organisations should leverage ATT&CK insights to build detections on top of these choke points in their digital estates, using different detection methods, like signatures, rules, supervised and unsupervised machine learning, and deceptions to get depth, not just breadth, of coverage.
Another benefit of ATT&CK is that it gives security teams a powerful method for justifying investment, reporting value, and tracking maturity based on coverage, not vanity metrics.
For example, reducing the number of alerts might seem like a win, but does it actually indicate your security posture has gotten any better? Maybe or maybe not.
Without a framework like ATT&CK, which allows you to track your security posture based on what threats are covered versus what threats are not, metrics are, at best meaningless and, at worst, deceiving. Case in point, it’s possible to end up with fewer alerts by down-tuning your EDR/NDR/SIEM/etc. and actively harming your security posture.
With ATT&CK, another way opens up.
By identifying the top threats and putting in place controls proven to detect and stop them across different environments, security teams can demonstrate where their security resources are going and what the real business results are.
This means that reports can say things like, “In the last 12 months, we have identified these 10 threats as posing the most risk to our organisation. To counteract them, we have implemented three detections for threat number one, four detections for threat number two, etc.” No vanity metrics needed.
Taking telemetry from across an organisation’s entire digital estate, SenseOn learns and analyses network, endpoint, and cloud activity and maps malicious behaviour to the kind of attack techniques described by ATT&CK.
SenseOn does all this automatically, only firing off alerts for human analysts when genuine threats emerge within their environment.
To learn about how SenseOn automates ATT&CK, read our blog post here. For insight into how to use ATT&CK (and mistakes to avoid), watch our webinar.
To try SenseOn’s product, check out our free demo.